CVE-2024-53981 (High) detected in python-multipart-0.0.5.tar.gz

[mend-bolt-for-github[bot]]

CVE-2024-53981 - High Severity Vulnerability

Vulnerable Library - python-multipart-0.0.5.tar.gz

A streaming multipart parser for Python

Library home page: https://files.pythonhosted.org/packages/46/40/a933ac570bf7aad12a298fc53458115cc74053474a72fbb8201d7dc06d3d/python-multipart-0.0.5.tar.gz

Path to dependency file: /backend/requirements.txt

Path to vulnerable library: /backend/requirements.txt

Dependency Hierarchy:

• :x: python-multipart-0.0.5.tar.gz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any tailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause excessive logging for certain inputs. An attacker could abuse this by sending a malicious request with lots of data before the first or after the last boundary, causing high CPU load and stalling the processing thread for a significant amount of time. In case of ASGI application, this could stall the event loop and prevent other requests from being processed, resulting in a denial of service (DoS). This vulnerability is fixed in 0.0.18.

Publish Date: 2024-12-02

URL: CVE-2024-53981

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-12-02

Fix Resolution: 0.0.19

---

Step up your Open Source Security Game with Mend here